1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.eclipse.jetty.util.ssl;
18
19 import java.io.ByteArrayInputStream;
20 import java.io.ByteArrayOutputStream;
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.InputStream;
24 import java.net.InetAddress;
25 import java.security.InvalidParameterException;
26 import java.security.KeyStore;
27 import java.security.SecureRandom;
28 import java.security.Security;
29 import java.security.cert.CRL;
30 import java.security.cert.CertStore;
31 import java.security.cert.Certificate;
32 import java.security.cert.CollectionCertStoreParameters;
33 import java.security.cert.PKIXBuilderParameters;
34 import java.security.cert.X509CertSelector;
35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.Collections;
38 import java.util.HashSet;
39 import java.util.List;
40 import java.util.Set;
41 import javax.net.ssl.CertPathTrustManagerParameters;
42 import javax.net.ssl.KeyManager;
43 import javax.net.ssl.KeyManagerFactory;
44 import javax.net.ssl.SSLContext;
45 import javax.net.ssl.SSLEngine;
46 import javax.net.ssl.SSLServerSocket;
47 import javax.net.ssl.SSLServerSocketFactory;
48 import javax.net.ssl.SSLSocket;
49 import javax.net.ssl.SSLSocketFactory;
50 import javax.net.ssl.TrustManager;
51 import javax.net.ssl.TrustManagerFactory;
52 import javax.net.ssl.X509KeyManager;
53 import javax.net.ssl.X509TrustManager;
54
55 import org.eclipse.jetty.util.IO;
56 import org.eclipse.jetty.util.component.AbstractLifeCycle;
57 import org.eclipse.jetty.util.log.Log;
58 import org.eclipse.jetty.util.log.Logger;
59 import org.eclipse.jetty.util.resource.Resource;
60 import org.eclipse.jetty.util.security.CertificateUtils;
61 import org.eclipse.jetty.util.security.CertificateValidator;
62 import org.eclipse.jetty.util.security.Password;
63
64
65
66
67
68
69
70
71
72 public class SslContextFactory extends AbstractLifeCycle
73 {
74 private static final Logger LOG = Log.getLogger(SslContextFactory.class);
75
76 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
77 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
78 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
79 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
80 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
81 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
82
83
84 public static final String DEFAULT_KEYSTORE_PATH =
85 System.getProperty("user.home") + File.separator + ".keystore";
86
87
88 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
89
90
91 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
92
93
94 private final Set<String> _excludeProtocols = new HashSet<String>();
95
96
97 private Set<String> _includeProtocols = null;
98
99
100 private final Set<String> _excludeCipherSuites = new HashSet<String>();
101
102 private Set<String> _includeCipherSuites = null;
103
104
105 private String _keyStorePath;
106
107 private String _keyStoreProvider;
108
109 private String _keyStoreType = "JKS";
110
111 private InputStream _keyStoreInputStream;
112
113
114 private String _certAlias;
115
116
117 private String _trustStorePath;
118
119 private String _trustStoreProvider;
120
121 private String _trustStoreType = "JKS";
122
123 private InputStream _trustStoreInputStream;
124
125
126 private boolean _needClientAuth = false;
127
128 private boolean _wantClientAuth = false;
129
130
131 private boolean _allowRenegotiate = true;
132
133
134 private transient Password _keyStorePassword;
135
136 private transient Password _keyManagerPassword;
137
138 private transient Password _trustStorePassword;
139
140
141 private String _sslProvider;
142
143 private String _sslProtocol = "TLS";
144
145
146 private String _secureRandomAlgorithm;
147
148 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
149
150 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
151
152
153 private boolean _validateCerts;
154
155 private boolean _validatePeerCerts;
156
157 private int _maxCertPathLength = -1;
158
159 private String _crlPath;
160
161 private boolean _enableCRLDP = false;
162
163 private boolean _enableOCSP = false;
164
165 private String _ocspResponderURL;
166
167
168 private KeyStore _keyStore;
169
170 private KeyStore _trustStore;
171
172 private boolean _sessionCachingEnabled = true;
173
174 private int _sslSessionCacheSize;
175
176 private int _sslSessionTimeout;
177
178
179 private SSLContext _context;
180
181 private boolean _trustAll;
182
183
184
185
186
187
188 public SslContextFactory()
189 {
190 _trustAll=true;
191 }
192
193
194
195
196
197
198 public SslContextFactory(boolean trustAll)
199 {
200 _trustAll=trustAll;
201 }
202
203
204
205
206
207
208 public SslContextFactory(String keyStorePath)
209 {
210 _keyStorePath = keyStorePath;
211 }
212
213
214
215
216
217
218 @Override
219 protected void doStart() throws Exception
220 {
221 if (_context == null)
222 {
223 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
224 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
225 {
226 TrustManager[] trust_managers=null;
227
228 if (_trustAll)
229 {
230 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
231
232 TrustManager trustAllCerts = new X509TrustManager()
233 {
234 public java.security.cert.X509Certificate[] getAcceptedIssuers()
235 {
236 return null;
237 }
238
239 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
240 {
241 }
242
243 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
244 {
245 }
246 };
247 trust_managers = new TrustManager[] { trustAllCerts };
248 }
249
250 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
251 _context = SSLContext.getInstance(_sslProtocol);
252 _context.init(null, trust_managers, secureRandom);
253 }
254 else
255 {
256
257
258 checkKeyStore();
259
260 KeyStore keyStore = loadKeyStore();
261 KeyStore trustStore = loadTrustStore();
262
263 Collection<? extends CRL> crls = loadCRL(_crlPath);
264
265 if (_validateCerts && keyStore != null)
266 {
267 if (_certAlias == null)
268 {
269 List<String> aliases = Collections.list(keyStore.aliases());
270 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
271 }
272
273 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
274 if (cert == null)
275 {
276 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
277 }
278
279 CertificateValidator validator = new CertificateValidator(trustStore, crls);
280 validator.setMaxCertPathLength(_maxCertPathLength);
281 validator.setEnableCRLDP(_enableCRLDP);
282 validator.setEnableOCSP(_enableOCSP);
283 validator.setOcspResponderURL(_ocspResponderURL);
284 validator.validate(keyStore, cert);
285 }
286
287 KeyManager[] keyManagers = getKeyManagers(keyStore);
288 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
289
290 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
291 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
292 _context.init(keyManagers,trustManagers,secureRandom);
293
294 SSLEngine engine=newSslEngine();
295
296 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
297 if (LOG.isDebugEnabled())
298 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
299 }
300 }
301 }
302
303
304
305
306
307
308 public String[] getExcludeProtocols()
309 {
310 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
311 }
312
313
314
315
316
317
318
319 public void setExcludeProtocols(String... protocols)
320 {
321 checkNotStarted();
322
323 _excludeProtocols.clear();
324 _excludeProtocols.addAll(Arrays.asList(protocols));
325 }
326
327
328
329
330
331 public void addExcludeProtocols(String... protocol)
332 {
333 checkNotStarted();
334 _excludeProtocols.addAll(Arrays.asList(protocol));
335 }
336
337
338
339
340
341
342 public String[] getIncludeProtocols()
343 {
344 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
345 }
346
347
348
349
350
351
352
353 public void setIncludeProtocols(String... protocols)
354 {
355 checkNotStarted();
356
357 _includeProtocols = new HashSet<String>(Arrays.asList(protocols));
358 }
359
360
361
362
363
364
365 public String[] getExcludeCipherSuites()
366 {
367 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
368 }
369
370
371
372
373
374
375
376 public void setExcludeCipherSuites(String... cipherSuites)
377 {
378 checkNotStarted();
379 _excludeCipherSuites.clear();
380 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
381 }
382
383
384
385
386
387 public void addExcludeCipherSuites(String... cipher)
388 {
389 checkNotStarted();
390 _excludeCipherSuites.addAll(Arrays.asList(cipher));
391 }
392
393
394
395
396
397
398 public String[] getIncludeCipherSuites()
399 {
400 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
401 }
402
403
404
405
406
407
408
409 public void setIncludeCipherSuites(String... cipherSuites)
410 {
411 checkNotStarted();
412
413 _includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
414 }
415
416
417
418
419
420 public String getKeyStorePath()
421 {
422 return _keyStorePath;
423 }
424
425
426 @Deprecated
427 public String getKeyStore()
428 {
429 return _keyStorePath;
430 }
431
432
433
434
435
436
437 public void setKeyStorePath(String keyStorePath)
438 {
439 checkNotStarted();
440
441 _keyStorePath = keyStorePath;
442 }
443
444
445
446
447
448
449 @Deprecated
450 public void setKeyStore(String keyStorePath)
451 {
452 checkNotStarted();
453
454 _keyStorePath = keyStorePath;
455 }
456
457
458
459
460
461 public String getKeyStoreProvider()
462 {
463 return _keyStoreProvider;
464 }
465
466
467
468
469
470
471 public void setKeyStoreProvider(String keyStoreProvider)
472 {
473 checkNotStarted();
474
475 _keyStoreProvider = keyStoreProvider;
476 }
477
478
479
480
481
482 public String getKeyStoreType()
483 {
484 return (_keyStoreType);
485 }
486
487
488
489
490
491
492 public void setKeyStoreType(String keyStoreType)
493 {
494 checkNotStarted();
495
496 _keyStoreType = keyStoreType;
497 }
498
499
500
501
502
503
504
505 @Deprecated
506 public InputStream getKeyStoreInputStream()
507 {
508 checkKeyStore();
509
510 return _keyStoreInputStream;
511 }
512
513
514
515
516
517
518
519 @Deprecated
520 public void setKeyStoreInputStream(InputStream keyStoreInputStream)
521 {
522 checkNotStarted();
523
524 _keyStoreInputStream = keyStoreInputStream;
525 }
526
527
528
529
530
531 public String getCertAlias()
532 {
533 return _certAlias;
534 }
535
536
537
538
539
540
541 public void setCertAlias(String certAlias)
542 {
543 checkNotStarted();
544
545 _certAlias = certAlias;
546 }
547
548
549
550
551
552 public String getTrustStore()
553 {
554 return _trustStorePath;
555 }
556
557
558
559
560
561
562 public void setTrustStore(String trustStorePath)
563 {
564 checkNotStarted();
565
566 _trustStorePath = trustStorePath;
567 }
568
569
570
571
572
573 public String getTrustStoreProvider()
574 {
575 return _trustStoreProvider;
576 }
577
578
579
580
581
582
583 public void setTrustStoreProvider(String trustStoreProvider)
584 {
585 checkNotStarted();
586
587 _trustStoreProvider = trustStoreProvider;
588 }
589
590
591
592
593
594 public String getTrustStoreType()
595 {
596 return _trustStoreType;
597 }
598
599
600
601
602
603
604 public void setTrustStoreType(String trustStoreType)
605 {
606 checkNotStarted();
607
608 _trustStoreType = trustStoreType;
609 }
610
611
612
613
614
615
616
617 @Deprecated
618 public InputStream getTrustStoreInputStream()
619 {
620 checkKeyStore();
621
622 return _trustStoreInputStream;
623 }
624
625
626
627
628
629
630
631 @Deprecated
632 public void setTrustStoreInputStream(InputStream trustStoreInputStream)
633 {
634 checkNotStarted();
635
636 _trustStoreInputStream = trustStoreInputStream;
637 }
638
639
640
641
642
643
644 public boolean getNeedClientAuth()
645 {
646 return _needClientAuth;
647 }
648
649
650
651
652
653
654
655 public void setNeedClientAuth(boolean needClientAuth)
656 {
657 checkNotStarted();
658
659 _needClientAuth = needClientAuth;
660 }
661
662
663
664
665
666
667 public boolean getWantClientAuth()
668 {
669 return _wantClientAuth;
670 }
671
672
673
674
675
676
677
678 public void setWantClientAuth(boolean wantClientAuth)
679 {
680 checkNotStarted();
681
682 _wantClientAuth = wantClientAuth;
683 }
684
685
686
687
688
689
690 @Deprecated
691 public boolean getValidateCerts()
692 {
693 return _validateCerts;
694 }
695
696
697
698
699
700 public boolean isValidateCerts()
701 {
702 return _validateCerts;
703 }
704
705
706
707
708
709
710 public void setValidateCerts(boolean validateCerts)
711 {
712 checkNotStarted();
713
714 _validateCerts = validateCerts;
715 }
716
717
718
719
720
721 public boolean isValidatePeerCerts()
722 {
723 return _validatePeerCerts;
724 }
725
726
727
728
729
730
731 public void setValidatePeerCerts(boolean validatePeerCerts)
732 {
733 checkNotStarted();
734
735 _validatePeerCerts = validatePeerCerts;
736 }
737
738
739
740
741
742 public boolean isAllowRenegotiate()
743 {
744 return _allowRenegotiate;
745 }
746
747
748
749
750
751
752
753
754
755
756
757
758 public void setAllowRenegotiate(boolean allowRenegotiate)
759 {
760 checkNotStarted();
761
762 _allowRenegotiate = allowRenegotiate;
763 }
764
765
766
767
768
769
770 public void setKeyStorePassword(String password)
771 {
772 checkNotStarted();
773
774 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
775 }
776
777
778
779
780
781
782 public void setKeyManagerPassword(String password)
783 {
784 checkNotStarted();
785
786 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
787 }
788
789
790
791
792
793
794 public void setTrustStorePassword(String password)
795 {
796 checkNotStarted();
797
798 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
799 }
800
801
802
803
804
805
806 public String getProvider()
807 {
808 return _sslProvider;
809 }
810
811
812
813
814
815
816
817 public void setProvider(String provider)
818 {
819 checkNotStarted();
820
821 _sslProvider = provider;
822 }
823
824
825
826
827
828
829 public String getProtocol()
830 {
831 return _sslProtocol;
832 }
833
834
835
836
837
838
839
840 public void setProtocol(String protocol)
841 {
842 checkNotStarted();
843
844 _sslProtocol = protocol;
845 }
846
847
848
849
850
851
852
853 public String getSecureRandomAlgorithm()
854 {
855 return _secureRandomAlgorithm;
856 }
857
858
859
860
861
862
863
864
865 public void setSecureRandomAlgorithm(String algorithm)
866 {
867 checkNotStarted();
868
869 _secureRandomAlgorithm = algorithm;
870 }
871
872
873
874
875
876 public String getSslKeyManagerFactoryAlgorithm()
877 {
878 return (_keyManagerFactoryAlgorithm);
879 }
880
881
882
883
884
885
886 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
887 {
888 checkNotStarted();
889
890 _keyManagerFactoryAlgorithm = algorithm;
891 }
892
893
894
895
896
897 public String getTrustManagerFactoryAlgorithm()
898 {
899 return (_trustManagerFactoryAlgorithm);
900 }
901
902
903
904
905
906 public boolean isTrustAll()
907 {
908 return _trustAll;
909 }
910
911
912
913
914
915 public void setTrustAll(boolean trustAll)
916 {
917 _trustAll = trustAll;
918 }
919
920
921
922
923
924
925
926 public void setTrustManagerFactoryAlgorithm(String algorithm)
927 {
928 checkNotStarted();
929
930 _trustManagerFactoryAlgorithm = algorithm;
931 }
932
933
934
935
936
937 public String getCrlPath()
938 {
939 return _crlPath;
940 }
941
942
943
944
945
946
947 public void setCrlPath(String crlPath)
948 {
949 checkNotStarted();
950
951 _crlPath = crlPath;
952 }
953
954
955
956
957
958
959 public int getMaxCertPathLength()
960 {
961 return _maxCertPathLength;
962 }
963
964
965
966
967
968
969
970 public void setMaxCertPathLength(int maxCertPathLength)
971 {
972 checkNotStarted();
973
974 _maxCertPathLength = maxCertPathLength;
975 }
976
977
978
979
980
981 public SSLContext getSslContext()
982 {
983 if (!isStarted())
984 throw new IllegalStateException(getState());
985 return _context;
986 }
987
988
989
990
991
992
993 public void setSslContext(SSLContext sslContext)
994 {
995 checkNotStarted();
996
997 _context = sslContext;
998 }
999
1000
1001
1002
1003
1004
1005
1006
1007 protected KeyStore loadKeyStore() throws Exception
1008 {
1009 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
1010 _keyStorePath, _keyStoreType, _keyStoreProvider,
1011 _keyStorePassword==null? null: _keyStorePassword.toString());
1012 }
1013
1014
1015
1016
1017
1018
1019
1020
1021 protected KeyStore loadTrustStore() throws Exception
1022 {
1023 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
1024 _trustStorePath, _trustStoreType, _trustStoreProvider,
1025 _trustStorePassword==null? null: _trustStorePassword.toString());
1026 }
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046 @Deprecated
1047 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
1048 {
1049 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
1050 }
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
1064 {
1065 return CertificateUtils.loadCRL(crlPath);
1066 }
1067
1068
1069 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
1070 {
1071 KeyManager[] managers = null;
1072
1073 if (keyStore != null)
1074 {
1075 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
1076 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
1077 managers = keyManagerFactory.getKeyManagers();
1078
1079 if (_certAlias != null)
1080 {
1081 for (int idx = 0; idx < managers.length; idx++)
1082 {
1083 if (managers[idx] instanceof X509KeyManager)
1084 {
1085 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
1086 }
1087 }
1088 }
1089 }
1090
1091 return managers;
1092 }
1093
1094
1095 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
1096 {
1097 TrustManager[] managers = null;
1098 if (trustStore != null)
1099 {
1100
1101 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
1102 {
1103 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
1104
1105
1106 pbParams.setMaxPathLength(_maxCertPathLength);
1107
1108
1109 pbParams.setRevocationEnabled(true);
1110
1111 if (crls != null && !crls.isEmpty())
1112 {
1113 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
1114 }
1115
1116 if (_enableCRLDP)
1117 {
1118
1119 System.setProperty("com.sun.security.enableCRLDP","true");
1120 }
1121
1122 if (_enableOCSP)
1123 {
1124
1125 Security.setProperty("ocsp.enable","true");
1126
1127 if (_ocspResponderURL != null)
1128 {
1129
1130 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
1131 }
1132 }
1133
1134 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1135 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
1136
1137 managers = trustManagerFactory.getTrustManagers();
1138 }
1139 else
1140 {
1141 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1142 trustManagerFactory.init(trustStore);
1143
1144 managers = trustManagerFactory.getTrustManagers();
1145 }
1146 }
1147
1148 return managers;
1149 }
1150
1151
1152
1153
1154
1155
1156
1157
1158 public void checkKeyStore()
1159 {
1160 if (_context != null)
1161 return;
1162
1163
1164 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
1165 throw new IllegalStateException("SSL doesn't have a valid keystore");
1166
1167
1168
1169 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
1170 {
1171 _trustStore = _keyStore;
1172 _trustStorePath = _keyStorePath;
1173 _trustStoreInputStream = _keyStoreInputStream;
1174 _trustStoreType = _keyStoreType;
1175 _trustStoreProvider = _keyStoreProvider;
1176 _trustStorePassword = _keyStorePassword;
1177 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1178 }
1179
1180
1181 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1182 {
1183 try
1184 {
1185 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1186 IO.copy(_keyStoreInputStream, baos);
1187 _keyStoreInputStream.close();
1188
1189 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1190 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1191 }
1192 catch (Exception ex)
1193 {
1194 throw new IllegalStateException(ex);
1195 }
1196 }
1197 }
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1209 {
1210 Set<String> selected_protocols = new HashSet<String>();
1211
1212
1213 if (_includeProtocols!=null)
1214 {
1215
1216 for (String protocol : supportedProtocols)
1217 if (_includeProtocols.contains(protocol))
1218 selected_protocols.add(protocol);
1219 }
1220 else
1221 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1222
1223
1224
1225 if (_excludeProtocols != null)
1226 selected_protocols.removeAll(_excludeProtocols);
1227
1228 return selected_protocols.toArray(new String[selected_protocols.size()]);
1229 }
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1241 {
1242 Set<String> selected_ciphers = new HashSet<String>();
1243
1244
1245 if (_includeCipherSuites!=null)
1246 {
1247
1248 for (String cipherSuite : supportedCipherSuites)
1249 if (_includeCipherSuites.contains(cipherSuite))
1250 selected_ciphers.add(cipherSuite);
1251 }
1252 else
1253 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1254
1255
1256
1257 if (_excludeCipherSuites != null)
1258 selected_ciphers.removeAll(_excludeCipherSuites);
1259 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1260 }
1261
1262
1263
1264
1265
1266 protected void checkNotStarted()
1267 {
1268 if (isStarted())
1269 throw new IllegalStateException("Cannot modify configuration when "+getState());
1270 }
1271
1272
1273
1274
1275
1276 public boolean isEnableCRLDP()
1277 {
1278 return _enableCRLDP;
1279 }
1280
1281
1282
1283
1284
1285 public void setEnableCRLDP(boolean enableCRLDP)
1286 {
1287 checkNotStarted();
1288
1289 _enableCRLDP = enableCRLDP;
1290 }
1291
1292
1293
1294
1295
1296 public boolean isEnableOCSP()
1297 {
1298 return _enableOCSP;
1299 }
1300
1301
1302
1303
1304
1305 public void setEnableOCSP(boolean enableOCSP)
1306 {
1307 checkNotStarted();
1308
1309 _enableOCSP = enableOCSP;
1310 }
1311
1312
1313
1314
1315
1316 public String getOcspResponderURL()
1317 {
1318 return _ocspResponderURL;
1319 }
1320
1321
1322
1323
1324
1325 public void setOcspResponderURL(String ocspResponderURL)
1326 {
1327 checkNotStarted();
1328
1329 _ocspResponderURL = ocspResponderURL;
1330 }
1331
1332
1333
1334
1335
1336 public void setKeyStore(KeyStore keyStore)
1337 {
1338 checkNotStarted();
1339
1340 _keyStore = keyStore;
1341 }
1342
1343
1344
1345
1346
1347 public void setTrustStore(KeyStore trustStore)
1348 {
1349 checkNotStarted();
1350
1351 _trustStore = trustStore;
1352 }
1353
1354
1355
1356
1357
1358 public void setKeyStoreResource(Resource resource)
1359 {
1360 checkNotStarted();
1361
1362 try
1363 {
1364 _keyStoreInputStream = resource.getInputStream();
1365 }
1366 catch (IOException e)
1367 {
1368 throw new InvalidParameterException("Unable to get resource "+
1369 "input stream for resource "+resource.toString());
1370 }
1371 }
1372
1373
1374
1375
1376
1377 public void setTrustStoreResource(Resource resource)
1378 {
1379 checkNotStarted();
1380
1381 try
1382 {
1383 _trustStoreInputStream = resource.getInputStream();
1384 }
1385 catch (IOException e)
1386 {
1387 throw new InvalidParameterException("Unable to get resource "+
1388 "input stream for resource "+resource.toString());
1389 }
1390 }
1391
1392
1393
1394
1395
1396 public boolean isSessionCachingEnabled()
1397 {
1398 return _sessionCachingEnabled;
1399 }
1400
1401
1402
1403
1404
1405 public void setSessionCachingEnabled(boolean enableSessionCaching)
1406 {
1407 _sessionCachingEnabled = enableSessionCaching;
1408 }
1409
1410
1411
1412
1413
1414 public int getSslSessionCacheSize()
1415 {
1416 return _sslSessionCacheSize;
1417 }
1418
1419
1420
1421
1422
1423 public void setSslSessionCacheSize(int sslSessionCacheSize)
1424 {
1425 _sslSessionCacheSize = sslSessionCacheSize;
1426 }
1427
1428
1429
1430
1431
1432 public int getSslSessionTimeout()
1433 {
1434 return _sslSessionTimeout;
1435 }
1436
1437
1438
1439
1440
1441 public void setSslSessionTimeout(int sslSessionTimeout)
1442 {
1443 _sslSessionTimeout = sslSessionTimeout;
1444 }
1445
1446
1447
1448 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1449 {
1450 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1451
1452 SSLServerSocket socket =
1453 (SSLServerSocket) (host==null ?
1454 factory.createServerSocket(port,backlog):
1455 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1456
1457 if (getWantClientAuth())
1458 socket.setWantClientAuth(getWantClientAuth());
1459 if (getNeedClientAuth())
1460 socket.setNeedClientAuth(getNeedClientAuth());
1461
1462 socket.setEnabledCipherSuites(selectCipherSuites(
1463 socket.getEnabledCipherSuites(),
1464 socket.getSupportedCipherSuites()));
1465 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1466
1467 return socket;
1468 }
1469
1470
1471 public SSLSocket newSslSocket() throws IOException
1472 {
1473 SSLSocketFactory factory = _context.getSocketFactory();
1474
1475 SSLSocket socket = (SSLSocket)factory.createSocket();
1476
1477 if (getWantClientAuth())
1478 socket.setWantClientAuth(getWantClientAuth());
1479 if (getNeedClientAuth())
1480 socket.setNeedClientAuth(getNeedClientAuth());
1481
1482 socket.setEnabledCipherSuites(selectCipherSuites(
1483 socket.getEnabledCipherSuites(),
1484 socket.getSupportedCipherSuites()));
1485 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1486
1487 return socket;
1488 }
1489
1490
1491 public SSLEngine newSslEngine(String host,int port)
1492 {
1493 SSLEngine sslEngine=isSessionCachingEnabled()
1494 ?_context.createSSLEngine(host, port)
1495 :_context.createSSLEngine();
1496
1497 customize(sslEngine);
1498 return sslEngine;
1499 }
1500
1501
1502 public SSLEngine newSslEngine()
1503 {
1504 SSLEngine sslEngine=_context.createSSLEngine();
1505 customize(sslEngine);
1506 return sslEngine;
1507 }
1508
1509
1510 public void customize(SSLEngine sslEngine)
1511 {
1512 if (getWantClientAuth())
1513 sslEngine.setWantClientAuth(getWantClientAuth());
1514 if (getNeedClientAuth())
1515 sslEngine.setNeedClientAuth(getNeedClientAuth());
1516
1517 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1518 sslEngine.getEnabledCipherSuites(),
1519 sslEngine.getSupportedCipherSuites()));
1520
1521 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1522 }
1523
1524
1525 public String toString()
1526 {
1527 return String.format("%s@%x(%s,%s)#%s",
1528 getClass().getSimpleName(),
1529 hashCode(),
1530 _keyStorePath,
1531 _trustStorePath,
1532 getState());
1533 }
1534 }